Medical Devices Are The Weak Link

For many users of Johnson & Johnson’s OneTouch Ping insulin pump, the benefit of ease of use has been outweighed by the fear of hacking.

In early October, the company sent letters to patients using the devices, alerting them to the fact that the OneTouch contained a cybersecurity flaw that could allow a hacker to reprogram the device to administer additional doses of the diabetes drug, which could be life-threatening.

In its letter to patients, Johnson & Johnson portrayed the risk as minimal. “The probability of unauthorized access to the OneTouch Ping System is extremely low,” it noted. “It would require technical expertise, sophisticated equipment and proximity to the pump.”

A spokesman for the company says it’s working to eliminate the vulnerability; it has laid out a series of steps patients can take to reduce the risk, such as turning off the pump’s wireless connection to a blood-sugar meter, or setting a limit on the amount of insulin that can be delivered.

The announcement is yet another stark reminder of known security issues that exist with medical devices, widely used by both providers and patients. Indeed, this is not the first time concerns have surfaced about the ease of hacking medical devices.

In mid-2015, the Food and Drug Administration took the unprecedented step of alerting users about cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The agency strongly encouraged healthcare facilities to discontinue use of the pumps.

And the FDA is not the only federal agency shining a spotlight on the vulnerabilities of medical devices. In 2014, the Federal Bureau of Investigation issued a report that predicted hackers could assail medical devices, and followed that up with an alert last year warning companies and the public about cybersecurity risks to networked medical devices and wearable sensors.

The threat to patient safety carries the biggest shock value, and healthcare organizations are widely concerned about those risks.

But the devices also pose risks to the networks of healthcare organizations, because they typically have weak defenses against malware and a medical device could serve as an easy entry point to providers’ internal data networks.

Security experts and federal officials say the devices could become the focal point of a perfect storm for compromising healthcare data security and placing patient safety at risk. That’s because the vulnerability of devices to cyber-attacks is well known, and hackers are becoming emboldened to find new ways to attack healthcare organizations.

Most security professionals are worried about the vulnerability of a myriad of networked medical devices that have Internet connectivity, from infusion pumps and X-ray scanners to picture archiving and communications systems, blood gas analyzers, medical imaging devices, medical lasers, life support equipment and many more.

These devices are expensive and last a long time, and providers may have them in place for five, 10 or 15 years or more, says Axel Wirth, healthcare solutions architect for Symantec. Software running the devices may be years old as well, and is typically not easily protected by cyber defense software.

What’s more, in many cases the devices are managed just by the manufacturer’s technicians, not a provider’s IT security staff.

Information Management: Medical Devices Vulnerable to Hackers
 
